Edit tour

Windows Analysis Report
Xworm V5.6.exe

Overview

General Information

Sample name:	Xworm V5.6.exe
Analysis ID:	1473530
MD5:	56ccb739926a725e78a7acf9af52c4bb
SHA1:	5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256:	90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected RUNPE

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains very large strings

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

Xworm V5.6.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Xworm V5.6.exe" MD5: 56CCB739926A725E78A7ACF9AF52C4BB)

WerFault.exe (PID: 7588 cmdline: C:\Windows\system32\WerFault.exe -u -p 7264 -s 1268 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Xworm V5.6.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
Xworm V5.6.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Xworm V5.6.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Xworm V5.6.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Xworm V5.6.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Xworm V5.6.exe	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Xworm V5.6.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9836f7:$s6: VirtualBox 0x98351f:$s8: Win32_ComputerSystem 0x991fc2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x992013:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9920a0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x989f4a:$cnc4: POST / HTTP/1.1
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f4f7:$s6: VirtualBox 0x7f31f:$s8: Win32_ComputerSystem 0x8ddc2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8de13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8dea0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x85d4a:$cnc4: POST / HTTP/1.1
00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 7264	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 7264	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 7264	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 7264	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 7264	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14202:$s6: VirtualBox 0x1402a:$s8: Win32_ComputerSystem 0x1ff5f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1ffb0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2003d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19673:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAB4AAAAQ4CAIAAABnsVYUAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAKdAZJREFUeJzsneuS2zjPredGpiMn+X7uN31y5v7vbMtNmwYPC8IiQVt2swo1ldbIEokTwUcS+c/y+U7J4eODkuXjLcjh8/3n8WOV9d8/3l/XP6PEc8JplPz6OEl5XGn/8v4e5NrId9ivtamy8aG168EgscHx4OHzJJUeJZc9RgmXLYXVAyuhbbJ3tXZW7JjJz8/PoMAfb29RFH3S0tHHUqXRTNde4/vKbl4tbomR9bJRPl8LKZrq1N/MvmV8KfZFsto3mDgGTjCxxV49cQ0F+eclqDP59fHRIJXrfwIBfXx5+3OKjuPHr7+fIemdz2HzZ5qmYuLKMtj1COsnQGQWOrf87fUkbPtRjGRu+ZXJf76//fioy8v76yrh3zLKVvWef/735KhBCdFjKzHllZdIP0QyvD1nRxXKP76u8uPzz0kSJb+vktlI5tL1v+c0eDHB8vnOxgvdfjaHOOjqJC/vq8uddRL+r8yEhBR+niXnWwvpt3Q+AXUCe50wRsvfnjMSqX9Zqpkak9o6jncvr6+hsIkxe1YR9vP42/CTn+t/33i7Axtt9jd2ecNeOD9nEirtmIR/pHaR40WSsYEdoTkG50OkhzBMV0Y9p7hDcaHXkMtFmZnO7dePdW85VanbBbQHjcv3she0IzkfLK2c6arwUrWed2p/KT9FKbv+OyST5fU1NjILea98zsrPtR778qIQ/i9ptVAKspf0sR7+gKQczfXxHZZwhtqmp/5Bes7gQz6Ltwu+dZWToDHIq74NRddJUcfVkT7Xf/w4DTpvaJz99+31VKEdP3/+Pa6y/mP9MxysCsqZXv7P1j9wns7f91CMxfp9XfqOZtCn1LRWO29vIVldjxv4STLuXIqu6EuWOrziKoIGhHNkbT9uPErqxtRYJRNQ8jP0Kxy81UBG9QC8LylVN1Z87B/6BqTBZGueDECXhUvsV6VHlYufALTXhI2VWLXkQ9eWHfMCd2cAulRgOanYssv1vvHkTQBdVktPA6DLRKbZ1ymuoeCE61IAeQHoEFkyabTp/14AuuxXyLQsYLUPVDqARhOSCKBPqr4AaC2HDPYfVj/s9en2TABN6+ojTHuuk5YeE5AF2XBh/f9O7aza3QVAG/Xz0ADaHjJKfs4k5P8qDM3emUhyNbAjjOvB+ZByPMc4RfUz1P9gAA3tslXfTgB9n3q+yDwhKcVG7gRAB7+Nj6B0+rzsAEBf0UzTA+YJoH2FBdDx/ACg4/nfEEAreUxvZ1eXzc5ziQWSadb87aEB9DVFFxB5AugBBUeaHx8OQKPAjgczvgl7pF7fnrC8JFYt+dBFtnNvABpNwGCC3rpvvJQOoOUbmgmGfnAAnSW1CaCNADrL7yHjNQCUewHo7COPteW/P08iwzwL+aEAGo1NJYCuvJ5/Q/95FAB9lsQo+ZlSb48CoHv0DGO8x15kQTZaaP+8VzudACUNZMWLNjGiJYDOI31nALraTQVMKPk5EwVAZ7IJoB3t2xCP9TbX3pR3jFNUP0P93wNAK/4wGkCz+Qf197YA2hC5Xv5TzFj3CaCXGjs+4AcbdwTQ0vGyg4TfTgDtKpfXIPJXATYBdAasvxuAxl/kb7ezq8s4vqKksUAyzSZ/2yGAjr+9pugCIjeMd0rwVgP5+wJomSKtxahB7gWgw7/RohmVHqFAnUtwuAY8+uQWvcluuW+8ziaAlgw6VE4TQPsO8Ja29RRJXgBaKiGWAidayuu87OPh4xYAOuvXmmbvCKDjhHxJP/FeVbpcZtprLqqvD3ND/6EBX0c8mtozAXQTgI7zmVi8biw9hIQsyEYL7Z/3aqcToGzznyyiUWGz7A9Al1fQ60klP2fyrQD0UH9OBOl/GIAuT7b4wwTQ7i5BSfn5xXk8ElO5PQDo8i0cWbmVcl8AnWXUCaCrIYmC1C0nC5kAuq0x2cgVc4KlnV1dxvFVrt6pzAehPDiATurG1C5X/Yv4ov0KB281kL8dgEYFkFcwjAbQegsryLjI1LrjTgDtHPBOABo9UWDv++gAmh4AnOIaiqGdiSBwDGR3ABrYUZ84EX4CRPr/OdLfT8tAs4CPBdAwzxQL6QStxq+5w9vl9fxj8B/Wr2g/vBOArmhAXb8SwaMJoCeANl2fnICx12z2H3lBpb6qU+b35Hgys9oZgGarRx3MJRng/ST6OWdJ8zznGzfNhJW2RQ/xrcPZuMgW79o8X7m+/HfzC0Dw+k52YfMPas+jA2jUzrgngaRy65HYyJ0A6HJ1Sj2O7gWg7RlV90+U65BNvfLV3gC0V30r3VtHz7I2M1mq8P8R0c3m+QXM7xruW4abMZ939XdL5NtCL7Y9tFC8ENG6JwB9bXBKA8oxtCU/4+CtBjILoHtCoOrkmdwIQFcXTXYJhnsBaBjwKFQMieCW5U6sWvKhCzk0aOc+AXQ1BuqFJvbbrHLS7YI/9Z0A2tWfDe1MC8T7AOgsv7cvwXE/AJ0/qrnJJoSWfJjkn6P4SOULQL+8vua+avAf1q9oP5wA+qEAdFm8NtqLLMhGC+2f7PUH1DPJdZr8J15qEyxmoDkG9ZUjZ6/27A9AV7UHdYukrPSeGkBLGfEiCBsXvgC6Uuej+Orwzx5h8w/q73AAbfIi8zId5nb++/YqAXSEdLGR+wHQpRcpfnVHAB0UIj/ga/DPCaA34pc1Cg+gCWM9L4AOYh+53GozGz/8tgA6ae1lLH55+5OYW3TQK36rYXt4IABtcQiLPDqArm48uB6EmxCGrQUngGYD2yvgCwW2bUKIVlbh7/uEAFr7VA34tpvrGtqZFoj3AdBumxDeCUCXVz4DCBbI4utnetMBNNJzsqnAx8fL6+sE0HpUhiy0fPz5EqHYMB97cADdoyXZzrkJYRuw8Kpnyke/WbFu95/sspsAWrLmTD+HYnHDvQHoUmkba0E

Source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B1C000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7264

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e61b8e20-0be3-42be-b74b-ee1a1b7e5944

Jump to behavior

Source: Xworm V5.6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Xworm V5.6.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Xworm V5.6.exe

ReversingLabs: Detection: 72%

Source: Xworm V5.6.exe	String found in binary or memory: -help
Source: Xworm V5.6.exe	String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be spcifiedThere is no second file name for rename pair:Unsupported rename command:-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: Xworm V5.6.exe	String found in binary or memory: [ Play ]9StopToolStripMenuItem1.Image-StopToolStripMenuItem1
Source: Xworm V5.6.exe	String found in binary or memory: [ Extra 1 ]IReportWindowToolStripMenuItem1.Image=ReportWindowToolStripMenuItem1![ ReportWindow ]9StartToolStripMenuItem.Image-StartToolStripMenuItem7StopToolStripMenuItem.Image+StopToolStripMenuItemGPerformanceToolStripMenuItem1.Image;PerformanceToolStripMenuItem1
Source: Xworm V5.6.exe	String found in binary or memory: -Plugins\Ransomware.dll1Plugins\ReverseProxy.dll7Plugins\Ngrok-Installer.dll
Source: Xworm V5.6.exe	String found in binary or memory: cActiveWindows.dll,Chat.dll,Clipboard.dll,FileManager.dll,FilesSearcher.dll,HRDP.dll,HVNC.dll,Informations.dll,Keylogger.dll,Maps.dll,Microphone.dll,Ngrok-Installer.dll,Options.dll,Pastime.dll,Performance.dll,ProcessManager.dll,Programs.dll,Ransomware.dll,Chromium.dll,Recovery.dll,Stealer.dll,Regedit.dll,RemoteDesktop.dll,ReverseProxy.dll,RunPE.dll,Shell.dll,StartupManager.dll,TCPConnections.dll,UACBypass.dll,VB.NET Compiler.dll,WebCam.dll,WSound.dll,ServiceManager.dll,MessageBox.dll,HVNCMemory.dll,Cmstp-Bypass.dll,HiddenApps.dll,HBrowser.dll,VoiceChat.dll

Source: C:\Users\user\Desktop\Xworm V5.6.exe

File read: C:\Users\user\Desktop\Xworm V5.6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xworm V5.6.exe "C:\Users\user\Desktop\Xworm V5.6.exe"
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7264 -s 1268

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Xworm V5.6.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Xworm V5.6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Xworm V5.6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Xworm V5.6.exe

Static file information: File size 15602688 > 1048576

Source: Xworm V5.6.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xebec00

Source: Xworm V5.6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbL$0H source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdbRSDS-L source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdbX source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: PC:\Windows\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B1C000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb4 source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL0 source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiewCtlR& source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbLQ]ZL source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbent source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdber source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb) source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: symbols\dll\Microsoft.VisualBasic.pdb` source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected RUNPE

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Xworm V5.6.exe

Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Memory allocated: 20B26BD0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Memory allocated: 20B404D0000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Xworm V5.6.exe	Binary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: Xworm V5.6.exe, type: SAMPLE

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Users\user\Desktop\Xworm V5.6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Xworm V5.6.exe	72%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
Xworm V5.6.exe	100%	Avira	TR/AVI.XWorm.snnqo
Xworm V5.6.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://exmple.com	0%	Avira URL Cloud	safe
https://www.google.com/maps/place/)icons8-letter-16.png	0%	Avira URL Cloud	safe
https://pastebin.com/raw/H3wFXmEi	0%	Avira URL Cloud	safe
https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip	0%	Avira URL Cloud	safe
https://t.me/XCoderGroup	0%	Avira URL Cloud	safe
https://evilcoder.mysellix.io	0%	Avira URL Cloud	safe
http://ip-api.com/csv/?fields=status	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exmple.com	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/maps/place/)icons8-letter-16.png	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/H3wFXmEi	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
https://evilcoder.mysellix.io	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/XCoderGroup	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Xworm V5.6.exe, 00000000.00000002.1955467069.0000020B28544000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com/csv/?fields=status	Xworm V5.6.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	Xworm V5.6.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1473530
Start date and time:	2024-07-15 14:27:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Xworm V5.6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target Xworm V5.6.exe, PID 7264 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Xworm V5.6.exe

Simulations

Behavior and APIs

Time	Type	Description
08:28:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Xworm V5.6.exe_cf9afbc01e41f39085d44e42fe55b10f1508dcd_6ddd3646_d5f1b510-4c45-4282-b213-0ab94f687708\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1850826667134688
Encrypted:	false
SSDEEP:	192:Ba3muJCeFOnf0NSVFU2HaWz8zvl/gCZFazqrzuiF1Z24lO8cn:wZCeNSVFBa48xwqrzuiF1Y4lO8O
MD5:	2EB7406339B5FBA492A00B843D6DBF76
SHA1:	566A2C23D7D929C17CC6BCC9B5AEBB808BE17E3B
SHA-256:	5FE4C2E3B40C1DB251F20C286057D9CFF76A35BC622E9C11105AA9B0C6828445
SHA-512:	C05A249D49870CCC7CFCA7B0FDA271EB087A78E0BD8EC62D676C67247192976CAA6EE67E3C24136A499A2BEA7AC409721703BE0A40A5E19A3B1D798785E58D16
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.5.2.0.0.9.1.9.9.4.9.3.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.5.2.0.0.9.2.6.1.9.9.5.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.f.1.b.5.1.0.-.4.c.4.5.-.4.2.8.2.-.b.2.1.3.-.0.a.b.9.4.f.6.8.7.7.0.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.1.0.9.e.9.4.-.6.8.f.7.-.4.6.1.b.-.a.4.6.8.-.0.e.5.2.0.e.9.6.7.e.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.X.w.o.r.m. .V.5...6...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.W.o.r.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.0.-.0.0.0.1.-.0.0.1.4.-.3.f.0.7.-.8.6.7.0.b.2.d.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.1.d.b.3.d.3.1.e.2.f.6.7.3.b.3.e.4.4.3.2.3.2.b.0.d.6.1.e.4.c.b.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.0.1.b.9.0.1.3.7.8.7.1.c.3.c.8.f.0.d.0.4.f.5.1.0.c.4.d.5.6.b.2.3.9.3.2.c.b.c.!.X.w.o.r.m. .V.5...6...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E5E.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Jul 15 12:28:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	509043
Entropy (8bit):	3.5629064491677997
Encrypted:	false
SSDEEP:	3072:lNAVd7+SUuCSPt4XbAvcS3xq0+1CCqEFoDuKTyBmr6vUPk5yzUb6c9XGwP3+vbtp:yd7+3alMbMBqfqYK69Xp3QRCg
MD5:	49388C0D1940D321B1B72F8D2940CE17
SHA1:	C77BEA0A2106D77AAD011FA7F6C1763ACA96A03F
SHA-256:	A4CA919C3DE4EDFBD4AD2766B86732043E23EDB15D2E5E3432E25A59BA9A4D21
SHA-512:	68F60C52447AD4A24314ABEA5C40E31D414C5F08433C4155BDB4BEE5317CB2B7E662A254FED5B12ECCCFF2E8A8D7F5EC34D4ABCC7A7FAAD9FEBE80541ADC0D8C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............t.......................$...T#..........x#......$>..............l.......8...........T............1..............x1..........d3..............................................................................eJ.......3......Lw......................T.......`......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FD6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9928
Entropy (8bit):	3.7089572495212333
Encrypted:	false
SSDEEP:	192:R6l7wVeJpELO6Y9YgLsgmfZf1yitoprj89bPcf5ftFm:R6lXJeO6YygQgmfTt5Ps5fu
MD5:	15A86B3FED1E4EEF19A7FAA5070CFAB7
SHA1:	EE398D48CE2E7A6E7FA5BC5A4D2658659E34E099
SHA-256:	B884D5614E3FA2A884820DBE702869246891FFE48FA633C14FD5C25A92C0A45E
SHA-512:	9A6268DEF71D500D1714050A33C260A2438D61DDD4C0029E986E4EE4B7923FB9AF777E7B7C6A00A4EF16870BC34F21E005734F30F4BB98FACECE7FAB1B8E5B4E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6025.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.455892197934221
Encrypted:	false
SSDEEP:	48:cvIwWl8zsWJg771I9HsWpW8VYsYm8M4J0r7RnFQyq8vy7Rhqg6sojSCwS2d:uIjfsI7IF7VIJ0rcWyqg6bSCwS2d
MD5:	2E8CD838E57A71E62C550C33ACC5A66A
SHA1:	CD7C011A576759171F18103D91EDF61C2F830655
SHA-256:	63267A6EC3C28811998A8C009BD6147A10B6EDCA4070222ACAA7A5228DCE7336
SHA-512:	55C347CF03B33E82AC5E2BD58DD9728CA504B415EBA925097064B219CED3517B1F3004213180BC7AA52562EA3F3E3BC15D58B7146237A302E23C4AAE1DE957FB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="412050" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4655341640286625
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4NWSPKaJG8nAgejZMMhA2gX4WABl0uNNdwBCswSbh:dXD94NWlLZMM6YFHz+h
MD5:	1824883AC44562D2D9F14C87B94BE9CB
SHA1:	C8981EC11A6CF7F28C897B3B447C7964BDBA254C
SHA-256:	89EF69EF651AB5B16FFD332EB668ABA8CF8666DA8003195864B4A09380F2F4C7
SHA-512:	08E9E39462E5EB6A6521607807D0EBEC887D92465A772FD80656D7923A9372E3FCD3ED722113BF5BD214FDCF1799EB89E580C20089220529338BACDF7792C34A
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn.%u................................................................................................................................................................................................................................................................................................................................................z.3A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.551455370993597
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Xworm V5.6.exe
File size:	15'602'688 bytes
MD5:	56ccb739926a725e78a7acf9af52c4bb
SHA1:	5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256:	90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512:	2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
SSDEEP:	196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i
TLSH:	0EF69D107BD68006E47269B00A946AE199BEBEAF2B15D8AD30C4335C17F64CCF953BF5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.........."...0......&........... ... ....@.. ....................................`................................

File Icon


Icon Hash:	71331b969f1b1371

Static PE Info

General

Entrypoint:	0x12c0b9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65EB89ED [Fri Mar 8 21:58:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xec0b4c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec2000	0x223ae	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xebeba4	0xebec00	c73b8400047076f819f0a34dd3e991d1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xec2000	0x223ae	0x22400	a7a7c947b38ceefba36d1e99792f8c0b	False	0.45502109945255476	data	5.558879950134356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee6000	0xc	0x200	d6009659c0c7ac96ce7e89890f2b2b64	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xec2220	0x9738	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9994058689811944
RT_ICON	0xecb958	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.2102064355849994
RT_ICON	0xedc180	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.2754487482286254
RT_ICON	0xee03a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.33682572614107886
RT_ICON	0xee2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.42401500938086306
RT_ICON	0xee39f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.6941489361702128
RT_GROUP_ICON	0xee3e60	0x5a	data	0.7666666666666667
RT_VERSION	0xee3ebc	0x308	data	0.44458762886597936
RT_MANIFEST	0xee41c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	08:28:04
Start date:	15/07/2024
Path:	C:\Users\user\Desktop\Xworm V5.6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Xworm V5.6.exe"
Imagebase:	0x20b259c0000
File size:	15'602'688 bytes
MD5 hash:	56CCB739926A725E78A7ACF9AF52C4BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:28:11
Start date:	15/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7264 -s 1268
Imagebase:	0x7ff6b7530000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B882480 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e54f3da808475e534c30219f6704bdff5a7bf06cad32d009c3b6ac100939d5
Instruction ID: 70f32b0e85d09fed3bc3d321f0b596907bfaf6bfa75b3ebe5125856a5aa8aa33
Opcode Fuzzy Hash: 53e54f3da808475e534c30219f6704bdff5a7bf06cad32d009c3b6ac100939d5
Instruction Fuzzy Hash: 2B51093770EA994FD716DBACA8745D43BA0EF85325B0905F7D1D8CF0E3D924994A8360

Function 00007FFD9B8809E0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202add7dd519133999ac50d8047baac86144991be5be8a08a5d6a97273b4ec2f
Instruction ID: 5a1f3b7c1fb68d35ab97b03b8ad05b274ecdc88b07b88f9a1075258c86100788
Opcode Fuzzy Hash: 202add7dd519133999ac50d8047baac86144991be5be8a08a5d6a97273b4ec2f
Instruction Fuzzy Hash: 2B910134A15A1D8FDBA4EB68C451BA8B7B2FF58304F5140B9D01DE72A2DE35A986CF00

Function 00007FFD9B883360 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d85c72378da36f306325d028252f45fa3290e272096228dcf070b7a1ec90e8b
Instruction ID: 8d40d360fe0e95651fa0faf145f78e10029d3f6c691754cc4c4f49d11f84b82e
Opcode Fuzzy Hash: 3d85c72378da36f306325d028252f45fa3290e272096228dcf070b7a1ec90e8b
Instruction Fuzzy Hash: CF81FD71A1995D8FDBA8EF58C8A4BA8B7F1FF58301F5001B9E01DD72A5DE35A981CB00

Function 00007FFD9B882510 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4ffd3179ddd9518edc3023fb02c9cd47cbef0c8aab7b760fbaef41e2856ead
Instruction ID: 64565c4b387b406b7712cc55780bcb246bf457e5b518179265c4f7d6da941cc9
Opcode Fuzzy Hash: cf4ffd3179ddd9518edc3023fb02c9cd47cbef0c8aab7b760fbaef41e2856ead
Instruction Fuzzy Hash: D031D83260EAC94FDB52DFAC98B45A47FA0EF46311B0900F7D498CB1E7DA249945C711

Function 00007FFD9B882540 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbec11c820530093df72313111cc80776929696f1213168a716b05ae63e9a766
Instruction ID: e242f58c70e874489db035ea9699ad9a1186f58ee8090bb2d266e95f8051ea7b
Opcode Fuzzy Hash: fbec11c820530093df72313111cc80776929696f1213168a716b05ae63e9a766
Instruction Fuzzy Hash: A921B13160EACD4FDB66DB6C88745A87FA0EF46314B0900FBD498CB1A7DA399945C711

Function 00007FFD9B880B43 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd3327e334ffa79b86329ad0508e6ba30b37f6770f057a9847591bd8125588a
Instruction ID: fdca04ab8050ead8e8018a088520d9852b04d3e8649010ed70a3e9374c206318
Opcode Fuzzy Hash: 0cd3327e334ffa79b86329ad0508e6ba30b37f6770f057a9847591bd8125588a
Instruction Fuzzy Hash: B151C970A15A5C8FDBA4EF68C494BA8B7B2FF58301F1040A9D01DE76A2DB35AD85CF00

Function 00007FFD9B8834CE Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f1fe88a436abb159f52b93374493346505341b19858c06a8bb91d3489997b2
Instruction ID: da9d8a217d0fba4cccb487eea609c431914b6820cb09160b274475a937d8d556
Opcode Fuzzy Hash: f8f1fe88a436abb159f52b93374493346505341b19858c06a8bb91d3489997b2
Instruction Fuzzy Hash: DE41EC70A1895D8FDF98EF58C8A4BADB7B1FF58304F5400A9E01DD3296DE35A981CB01

Function 00007FFD9B883698 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea54ac743d570a54ed733f511ec88d2ed840df1292c672d6a26dcc982aae3c27
Instruction ID: 8a9303fd763e7899f63c6c92b0cff8c4bce8ab058c285722535182f7721e9493
Opcode Fuzzy Hash: ea54ac743d570a54ed733f511ec88d2ed840df1292c672d6a26dcc982aae3c27
Instruction Fuzzy Hash: 2F31C770A0892D8FDBA5EF18C855BE8B7B1FF68304F5041F9905DE3295DA706E818F40

Function 00007FFD9B881932 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d2873380cb3ad9985e073ebfa34c405221f4bc517df7359edf959d7e7c6138
Instruction ID: 6dce0a4d9b41daf81fadb48df37164b9a1ab5c0f7f43fe2f9f562144d854c25c
Opcode Fuzzy Hash: 23d2873380cb3ad9985e073ebfa34c405221f4bc517df7359edf959d7e7c6138
Instruction Fuzzy Hash: BE212572A0EA8E4FE715E7689C252E87BE1EF49310F4901B7D058D71E3DE3869048391

Function 00007FFD9B8808B1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5308e35ee87bf93fdd84115fdc17046c1570f5fc9d9aa62db2ff38bfd41c898
Instruction ID: 1882ace31b1241efc5f5ef4375d1fc0ff9bd6674d0376dc02232dc29b09fe504
Opcode Fuzzy Hash: a5308e35ee87bf93fdd84115fdc17046c1570f5fc9d9aa62db2ff38bfd41c898
Instruction Fuzzy Hash: 1D117C70A1AA4E8FEB54EF6488655FD3AB0FF09301F41057AE02DD62D2DB385A40CB81

Function 00007FFD9B880CB4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb9bcede94f542ab14877c829f3d6491b5ffaf4f80adda6ad711e3078189126
Instruction ID: 1d527cf50c4ad0bbb6c7ac2e7bd745c90f11ba10ca49d2f7215a4a00c8004b66
Opcode Fuzzy Hash: 1eb9bcede94f542ab14877c829f3d6491b5ffaf4f80adda6ad711e3078189126
Instruction Fuzzy Hash: B9E0E534E1492D8ACB64DB64D8116ACB3B1FF88304F5021B9C01DE7186CB326946CB40

Function 00007FFD9B8832C3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963339113.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24cc3e4cddf22ce4c421beba96646f445adba642d13376c5295910f513cadb8
Instruction ID: be7ac31f5e82c08ac69a1af9e4139e79e939409c4e0f4ff72d6b66dfea329de7
Opcode Fuzzy Hash: e24cc3e4cddf22ce4c421beba96646f445adba642d13376c5295910f513cadb8
Instruction Fuzzy Hash: 70E0EC3491488E8FCF84EF48C850BEEB3B0FB18300F0046A1E41DD3155DA30E5908B80

Source: Xworm V5.6.exe	String found in binary or memory: http://exmple.com
Source: Xworm V5.6.exe	String found in binary or memory: http://ip-api.com/csv/?fields=status
Source: Xworm V5.6.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Xworm V5.6.exe, 00000000.00000002.1955467069.0000020B28544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Xworm V5.6.exe	String found in binary or memory: https://api.telegram.org/bot
Source: Xworm V5.6.exe	String found in binary or memory: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip
Source: Xworm V5.6.exe	String found in binary or memory: https://evilcoder.mysellix.io
Source: Xworm V5.6.exe	String found in binary or memory: https://pastebin.com/raw/H3wFXmEi
Source: Xworm V5.6.exe	String found in binary or memory: https://t.me/XCoderGroup
Source: Xworm V5.6.exe	String found in binary or memory: https://www.google.com/maps/place/)icons8-letter-16.png

Source: Xworm V5.6.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: Xworm V5.6.exe, 00000000.00000000.1710434997.0000020B26882000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ \| FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ \| FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe

Source: Xworm V5.6.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Xworm V5.6.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, ToolsBox.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Builder.cs	Cryptographic APIs: 'TransformFinalBlock'

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Xworm V5.6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Xworm V5.6.exe_cf9afbc01e41f39085d44e42fe55b10f1508dcd_6ddd3646_d5f1b510-4c45-4282-b213-0ab94f687708\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E5E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FD6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6025.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Xworm V5.6.exe